docs: update for v1.5.0 features

- Add PKI audit logging, request duration metrics to features list
- Update test count from 216 to 283
- Add audit.py and metrics.py to project structure
- Document audit logging in api.md
- Update TASKLIST.md with completed tasks
- Update TODO.md (remove resolved debt items)
- Update ROADMAP.md decision log

README.md

@@ -22,6 +22,8 @@ A lightweight, secure pastebin REST API built with Flask.
 - **Security headers** - HSTS, CSP, X-Frame-Options, X-Content-Type-Options
 - **CLI client** - Standalone `fpaste` tool with encryption support
 - **Request tracing** - X-Request-ID for log correlation
+- **Audit logging** - PKI certificate lifecycle events (issue, revoke, auth failure)
+- **Observability** - Request duration metrics via Prometheus histogram
 - **Minimal dependencies** - Flask + SQLite, optional cryptography for CLI
 
 ## Quick Start
@@ -356,10 +358,12 @@ flaskpaste/
 │   ├── __init__.py      # Flask app factory
 │   ├── config.py        # Configuration classes
 │   ├── database.py      # SQLite management
+│   ├── audit.py         # Audit logging for PKI events
+│   ├── metrics.py       # Prometheus metrics and histograms
 │   └── api/
 │       ├── __init__.py  # Blueprint setup
 │       └── routes.py    # API endpoints
-├── tests/               # Test suite
+├── tests/               # Test suite (283 tests)
 ├── data/                # SQLite database
 ├── run.py               # Development server
 ├── wsgi.py              # Production WSGI entry
@@ -384,6 +388,8 @@ flaskpaste/
 - **Rate limiting** - Per-IP throttling with auth multiplier
 - **Request tracing** - X-Request-ID for log correlation
 - **PKI support** - Built-in CA for client certificate issuance
+- **Audit logging** - PKI certificate events for compliance and forensics
+- **Observability** - Prometheus metrics for monitoring and alerting
 
 ## License